note
matsmats
<P>If your password is connected to a username, and said data is registered in a database - count the login attempts there. My favourite implementation of this is to double the response time from the server for every failed login-attempt on a username, slowing a brute force password guessing attack to a halt, but not necessarily bothering a regular user with throwing him out or something annoying like that. </P>
<P>Basically, as <b>merlyn</B> points out, you can't trust what is sent to you, so you have to connect the count of login tries to something you know is true. A username connected to the password would be most natural, I think.</P>
<P>Depending on the scale of what you're doing this for, an IP-adress check could be enough. The false negatives from AOL/dialups are not likely, I think (depending on the strength of your passwords) - and false positives from proxies could be taken care of by raising the number of allowed attempt to cover what goes as a expected count from said proxies. Not perfect, though.</P>
289569
289569